Hello, I'm a recentish follower of ha.ckers; I've only just plucked up enough courage to post my introduction.

I'm a first (moving to second) year Internet Computing student in the UK. A fourth year who spent the majority of his "Java demonstrator" time on his knees trying to explain the concept of Objects [to me], introduced me to the web application security lab after a discussion on what my course involves.

In my third year I'll be moving into the more meaty part of my course, and while I'm sure security will be a taught part of the course, I don't see there being any harm in learning before my class runs. From what I gather, since the IT professionals "create" the holes in security, the more I understand about the holes you guys are finding then the less likely the chance that I'll repeat those you find. Theoretically.

I'm here to read, learn and make you wish you had a baseball bat to force concepts into my head ;)

I'm most interested in HTML/CSS/JAVA/JavaScript/XML (I am still learning the last three and building knowledge on the first two. Apparently there is more to HTML than what I thought(?)) although I'm becoming interested in database/php/mySQL, especially on the security end.

That was a great intro. I'm glad you posted what you're learning in school, that's useful to know. And yes, there is a lot to HTML that most people don't realize. If you have Firefox go here: view-source:http://ha.ckers.org/weird/dandb.html I show this to people who tell me they know HTML. HTML is extremely complicated, and 80% of the tactics used on the XSS Cheat Sheet use tricks in HTML that most people never think about, let alone program against.

I had a look at the source and my jaw dropped - is there another "bit" to the html or is the whole thing JUST HTML? I have never seen half of those tags and the other half I haven't seen used in that way - you have me intrigued! :D

I have had a look at the XSS Cheat Sheet, but since I'd never heard of XSS before I was introduced to ha.ckers.org I'm still finding it difficult to understand/use. I have this intimidation-fear of new languages before I actually start to use them.

Is HTML a markup language for layout (although seeing the dandb.html file and after seeing how meta tags can be used I think it can do more than just let a web page look pretty) and XSS is a programming language which can be used to attack them?
(or is there a thread somewhere that explains this?)

Yah, that's really all HTML... although there is some CSS in it too for part of it. HTML is all presentation layer. What people often fail to understand about the XSS cheat sheet is that they think it's about JavaScript. It's not. It's about HTML used to get JS on a page (there are a few exceptions like straight JS injection or header splitting, etc... but for the most part it's all HTML injection that causes JS to run). The Cheat Sheet is pretty complicated, and lots of it is only useful in very particular situations, so I don't blame you for feeling a little intimidated. But trust me, you can figure it out, it's not rocket science.

XSS isn't a language at all, it's just an HTML fragment that gets outputted by the server side code (in most cases). That's the easiest way to think of it. One of the obvious exceptions is stuff like anchor tags url/file/path/to/function.php#exploit-goes-here where it doesn't even get sent to the server, but JavaScript that runs client side does something unsafe with the anchor tag that causes code to run that the attacker controls.
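As an added illustration of the explanation above (not part of the original thread, and not code from ha.ckers.org): a server-side script is just code that returns an HTML string, so unencoded input becomes part of the page, while the `#fragment` case never reaches the server at all. All function names, the `q` parameter and the sample inputs are constructed for this example.

```javascript
// Added example (constructed): the "server-side" code is a function returning
// the HTML string that a PHP script would echo back to the browser.

// Encode the five characters that let data break out of HTML text or a
// quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable: the request parameter is pasted into the markup as-is, so any
// tags it contains become part of the page.
function renderSearchUnsafe(q) {
  return `<p>Results for ${q}</p><input name="q" value="${q}">`;
}

// Hardened: same template, parameter encoded on output.
function renderSearchSafe(q) {
  const e = escapeHtml(q);
  return `<p>Results for ${e}</p><input name="q" value="${e}">`;
}

// The part of a URL the browser actually sends to the server. The fragment
// (everything after '#') is absent, so no server-side filter ever sees it.
function requestTarget(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// Client-side script that echoes the fragment must therefore encode it itself
// (in a browser, assigning via textContent achieves the same thing).
function fragmentToMarkupSafe(url) {
  const frag = decodeURIComponent(new URL(url).hash.slice(1));
  return `<span>${escapeHtml(frag)}</span>`;
}

// Constructed sample inputs.
const param = '"><img src=x onerror=alert(1)>';
const link = 'http://example.test/path/to/function.php#<img src=x onerror=alert(1)>';

console.log(renderSearchUnsafe(param)); // input's tag is now real markup
console.log(renderSearchSafe(param));   // input is inert text
console.log(requestTarget(link));       // fragment is not in the request
console.log(fragmentToMarkupSafe(link));
```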

I thought that HTML was "client based" while PHP was server-side, how does HTML become outputted by the server side code? (At least, that's what was hammered into my head during a basic php class.)

I've just finished my first and last exam (I swear, if I see another snippet of MARIE code or have to explain Skipcond one more time I will melt into a pile of smush!) so I had (another) look at the code and I think I've figured it out - except the A STYLE tag. Does that do anything?

I'd also like to point out that it is a very sneaky (because it looks scary!) bit of html, in my opinion!

Hi, I think I may as well make an introduction here since I like this site.
I'm not a hacker actually, just a guy who likes to mess with various stuff, so don't expect any insight from me. I'm interested in a lot of things from genetic algorithms to cg graphics, game development and php, sql, unix blah blah blah...

I hope my introduction wasn't too boring, anyway.
I'm just gonna say, that every time I read your blog, I learn something, and that's cool man!

Ers_Dokutn Wrote:
-------------------------------------------------------
> I'm not a hacker actually, just a guy who likes to
> mess with various stuff,
I think most people agree that's what hacker really means in the normal sense.

Ers_Dokutn - Welcome to the boards! As Kyran said, I think a lot of people fall into that category. For many years I never thought of myself as a hacker, even though I had the 139th hacking site on the Internet (it was pretty terrible actually). But I'm sure if you have experience with different technologies you can be helpful when we talk about those specific technologies.

Hey all. Long time fan of ha.ckers and sla.ckers, I've been following the blog and lurking the forum for a while. I'm 20, still in college, on my second internship, and still very new to web app security. I know a little html/css (like larkadragon said above, "my jaw dropped" with that example) and have some idea behind some of the stuff you guys do. But... I'm doing my best to learn and I hope to contribute my own work some day. Still have RFC2616 on my plate :)